How To Secure A WordPress Blog – Beginner To Pro

In recent times, WordPress has been highly targeted by hackers. Since WordPress uses MySQL and PHP, it’s not tough to find a vulnerability in WordPress.

Here I’m sharing some newbie tips to secure your WordPress blog. These are basic tips, but sometimes missing these basic tips may lead to losing your WordPress blog to some hacker.

WordPress powers around 25% of the websites in the world & is currently the most popular CMS apart from dedicated blogging software.

I can quite confidently say that being a user of this awesome CMS for the past 6 years, I simply love the fact that I can choose from thousands of plugins from the WordPress plugin database. The plugin database has never failed me.

That is the good part, but wherever there is good, there is also evil too. My site has been hacked nearly 6 times in the past by some Arabian and Turkish hackers (at least that’s what they claim). They infiltrated my site and left it with an ugly black background featuring GIF images of skulls and ravens.

Most hack attacks are done by something called an SQL injection.

Nowadays, it has become a necessity to do all the preliminary safeguarding measures to keep these hackers at bay.

Proven Tips To Secure Any WordPress Blog

1. Configure Backups

Even though I have given a lot of proven tips below to secure your WordPress blog, you need to ensure that if something happens, you won’t lose anything.

Not having a proper WordPress backup solution in place is the biggest mistake you can make. If big sites like Sony or Dropbox can be hacked, your WordPress blog will be relatively easy for a hacker to crack. So the first thing to do is ensure you are taking a daily backup of your blog.

If you are earning money from your blog, I suggest using VaultPress for taking backups which only costs $5/month. You might argue that your hosting offers backup, but this is only good if they store the backup on a different server.

2. Use A Reliable & Secure Hosting Company

Your WordPress installation is just software installed on a server. The foundation of a secure website is a server which has enough protections that ensure your website is safeguarded against hackers. A free web-hosting company is a big no-no & something you should avoid.

Make sure your hosting company has proper rules set in place & has firewalls to stop an attack on your site.

I understand that it’s hard to know which hosting company is reliable against hackers & that’s why I have created this quick list of hosting companies that offer great security on their server:

3. Update WordPress Core

Keeping your WordPress software up to date is the most basic security tip for any WordPress blogger. This is something that you never want to miss.

Whenever WordPress is sending an update, it means that they have fixed some bugs, added some features, and most importantly, added some security features and fixes.

When you see the message: “WordPress x.x.x is available!”

Update it.

Nowadays, with one click updates, it’s very easy to upgrade your blog.

Make sure your theme and plugins are compatible with the latest version of WordPress. If an update has been rolled out and it’s not a security update, I suggest waiting 5-6 days until other users have stopped reporting bugs in the new version; a security update should be applied right away.

4. Update WordPress Plugins

As I mentioned above, WordPress releases an update to fix bugs and security holes, and the same goes with plugins.

Many times, a vulnerable plugin or script can become an entry point into your WordPress site. One such issue which we have seen in the past is the Timthumb vulnerability. This was caused by a single script, and every plugin that bundled this script became vulnerable too.

It’s important to keep your plugins updated. Always use plugins which are continually updated and have good support. Being dependent on plugins which are not updated is a bad idea.

5. Hide Your WordPress Version

Let’s assume you don’t have those 2 minutes to update your WordPress core files. By default, WordPress prints its version number into the HTML of every page (the generator meta tag), and that listed WP version can give a hacker an idea of how to break in. If you are running an older version of WP and everyone knows it, trust me, you are doomed.

Most theme designers these days get rid of it for you, but just to make sure, open your theme’s functions.php and add this line inside the existing PHP code (do not wrap it in its own opening and closing PHP tags, which would cause a parse error in a file that is already in PHP mode):

remove_action('wp_head', 'wp_generator');
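The generator tag in the page head is only one of the places WordPress prints its version; the RSS/Atom feeds carry a generator tag too, and core scripts and styles are loaded with a ?ver=x.y.z query string. The following is an added example (not code from the original post) that removes all three. It uses only real WordPress hooks; the function name example_strip_core_version is our own and the comparison against get_bloginfo('version') is our own choice so that plugin and theme cache-busting keeps working.

```php
<?php
// Added example: remove the WordPress version from the head, the feeds and
// core asset URLs. Place in functions.php or a file in wp-content/mu-plugins/.

// 1. <meta name="generator"> in the HTML head and <generator> in RSS/Atom feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. The ?ver=x.y.z query string WordPress appends to enqueued scripts and
//    styles. Only strip it when it equals the core version, so that plugins
//    and themes that use their own version for cache-busting are unaffected.
function example_strip_core_version($src) {
    $core_version = get_bloginfo('version');
    if (is_string($src) && strpos($src, 'ver=' . $core_version) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'example_strip_core_version', 10, 1);
add_filter('script_loader_src', 'example_strip_core_version', 10, 1);
```

Keep in mind that this is obscurity, not a fix: the readme.html file shipped in the WordPress root still states the version, and a scanner can fingerprint core files by their contents. Hiding the version buys a little time; updating (tip 3) is what actually closes the hole.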

6. Use A Complex Login Password

I shouldn’t have to mention this, but I know too many people who use ingenious and insanely complex passwords like:

password

ilovejesus

123123

Brilliant.

Please make your passwords complex, add a couple of special characters (%&*#), and keep changing it every 5 or 6 months.

I would also like to recommend a plugin called Login Lockdown. This plugin will record all IPs and time stamps of failed login attempts. After a specific number of failed attempts from a particular IP, the IP will be blacklisted. This helps a lot to prevent any brute-force attack.
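For readers who would rather see what a login limiter does than install another plugin, here is an added example (not code from the original post and not the Login Lockdown plugin) that implements the same idea with standard WordPress hooks and transients. The threshold and lockout durations, the lt_ prefix and the function names are assumptions chosen for the example.

```php
<?php
// Added example: throttle failed logins per client IP using WordPress transients.
// Save as wp-content/mu-plugins/login-throttle.php so it loads before plugins.
// The three limits below are assumptions for the example, not WordPress defaults.
const LT_MAX_ATTEMPTS = 5;                       // failures allowed before lockout
const LT_WINDOW       = 15 * MINUTE_IN_SECONDS;  // how long the failure counter lives
const LT_LOCKOUT      = 30 * MINUTE_IN_SECONDS;  // how long a locked IP stays locked

function lt_client_ip() {
    // REMOTE_ADDR is set by the web server, not by the client, so it cannot be
    // forged in the request. Behind a reverse proxy it holds the proxy's address;
    // in that case configure the proxy/web server (e.g. mod_remoteip) to restore
    // the real address rather than trusting X-Forwarded-For in PHP.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lt_keys($ip) {
    $h = md5($ip); // keeps transient names short and free of odd characters
    return array("lt_fail_$h", "lt_lock_$h");
}

// Count each failure; lock the IP once the threshold is reached and log it,
// which gives you the IP/timestamp record the plugin above provides.
add_action('wp_login_failed', function ($username) {
    $ip = lt_client_ip();
    list($fail_key, $lock_key) = lt_keys($ip);
    $fails = (int) get_transient($fail_key) + 1;
    set_transient($fail_key, $fails, LT_WINDOW);
    if ($fails >= LT_MAX_ATTEMPTS) {
        set_transient($lock_key, time(), LT_LOCKOUT);
        error_log(sprintf('login lockout: ip=%s user=%s', $ip, $username));
    }
});

// Refuse authentication while the IP is locked. Priority 30 runs after
// WordPress's own username/password check (priority 20), so this filter has
// the final say even when the password was correct.
add_filter('authenticate', function ($user, $username, $password) {
    list(, $lock_key) = lt_keys(lt_client_ip());
    if (get_transient($lock_key) !== false) {
        return new WP_Error('lt_locked', 'Too many failed login attempts. Please try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the failure counter for that IP.
add_action('wp_login', function () {
    list($fail_key) = lt_keys(lt_client_ip());
    delete_transient($fail_key);
});
```

Two caveats worth knowing before relying on any IP-based lockout: users behind one NAT or office gateway share an address and can lock each other out, and the same hooks fire for XML-RPC logins, so the limiter covers wp-login.php and xmlrpc.php alike. The error_log line is what lets you spot a brute-force campaign in your server logs.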

7. Check File Permissions

Go to the File Manager in your cPanel, or log in to your FTP software, and check the file attributes of your WordPress folder.

It’s good if it’s 744 (read only). If you find it to be 777, consider yourself extremely lucky that you haven’t gotten hacked yet.

When most bloggers change hosting, they don’t realize how their file permissions also get changed. Make sure you verify all file permissions after migrating your hosting. You can also use a plugin like File Permissions and Size Check to check all of your WordPress folders and file permissions from the dashboard.
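Checking permissions by hand in cPanel or an FTP client is tedious across thousands of files, and it is easy to miss a single 777 directory left behind by a migration. The following added example (not code from the original post, and not the File Permissions and Size Check plugin) is a small command-line PHP script that walks a WordPress tree and reports every world-writable entry, every entry that deviates from the usual 755 (directories) / 644 (files) defaults, and a world-readable wp-config.php. The function name and the output format are our own.

```php
<?php
// Added example: scan a WordPress tree for risky file permissions.
// Usage from a shell on the server:  php check-perms.php /path/to/wordpress
// Expected modes (0755 directories, 0644 files) are the usual WordPress defaults.

function scan_permissions(string $root): array {
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = fileperms($path) & 0777;           // keep only the permission bits
        $worldWritable = ($mode & 0002) !== 0;     // "other" write bit (the 7 in 777)
        $expected = $info->isDir() ? 0755 : 0644;
        if ($worldWritable) {
            $findings[] = sprintf('%s %04o WORLD-WRITABLE', $path, $mode);
        } elseif ($mode !== $expected) {
            $findings[] = sprintf('%s %04o (expected %04o)', $path, $mode, $expected);
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $root = rtrim($argv[1], '/');

    // wp-config.php holds the database credentials and salts: it should never be
    // readable by "other" users on a shared host.
    $cfg = $root . '/wp-config.php';
    if (is_file($cfg) && (fileperms($cfg) & 0004) !== 0) {
        echo "$cfg is world-readable; tighten it (0640, or 0600 if PHP runs as your own user)\n";
    }

    foreach (scan_permissions($root) as $line) {
        echo $line, "\n";
    }
}
```

Treat the "(expected ...)" lines as things to look at rather than errors: some hosts need wp-content/uploads to be group-writable for media uploads to work. The WORLD-WRITABLE lines are the ones to fix first, since any other account on the server (or any compromised script) can modify those files.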

8. Delete Default Admin User

This is one of the most crucial tips for people who are looking to create a secure WordPress blog. The default “admin” username is prone to brute-force attacks because most people never change it.

When you install WordPress, make sure you use a custom username and do not use “admin”.

You can create a new user with “Administrator” rights, and give this new administrator a nickname that will be publicly displayed in case he/she writes a post. Now, log out and then log back into the newly created admin account and delete the old “admin” user.

Make sure you attribute all usernames and links to the new user which you have created.

9. Hide Database Errors

In older versions of WordPress, if there were errors in the MySQL database, the exact error was shown in the browser itself, giving the hacker valuable information about your database.

To prevent this, update your WordPress to the latest version, so that it will only show a general error message like “Database connection error” instead of showing exactly what’s wrong.

Log in to your WP dashboard and update your WordPress core files.
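Even on a current version, WordPress will print full database and PHP error details to the browser if debugging is switched on in wp-config.php, which is easy to forget after troubleshooting. Here is an added example (not from the original post) of the wp-config.php settings that keep error details out of the browser. The constants are real WordPress settings; the choice of values is the production configuration we recommend.

```php
<?php
// Added example: wp-config.php settings that keep error details off the page.
// Put these above the line "That's all, stop editing! Happy publishing."

// Production default: no debug output. With WP_DEBUG off, $wpdb does not
// enable show_errors(), so a failing query produces the generic message only.
define('WP_DEBUG', false);

// When you genuinely need to troubleshoot, keep WP_DEBUG on but send errors to
// wp-content/debug.log instead of the browser (WP_DEBUG_LOG only takes effect
// while WP_DEBUG is true). Block web access to debug.log and switch this back
// off when you are done.
// define('WP_DEBUG', true);
// define('WP_DEBUG_DISPLAY', false);
// define('WP_DEBUG_LOG', true);

// Belt and braces: make sure PHP itself does not render errors into the HTML.
@ini_set('display_errors', 0);
```

The weak setting is simply WP_DEBUG set to true with WP_DEBUG_DISPLAY left at its default, which is what turns a failed query into a page that prints the query and the table names for anyone to read.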

Creating A Secure WordPress Website

This is not everything; there are many other tips which you should be following to create a secure WordPress blog. One tip which I highly suggest is that you stop using any WordPress theme with an encrypted footer. If you are serious about your blogging, download a theme from the official repo, or better yet, use a premium WordPress theme.

Nice collection of tips for securing WordPress blogs. Even the WordPress Security Scan plugin does a good job. It checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:

The methods mentioned in this post are really nice, but I don’t think any one of these will work out when a professional cracker wants to take your WP down. For example, a symlink can be used to surpass the above security steps…

Hello, that was a great article on keeping your WordPress blog safe. However, for me there is one point. When you are running a screen reader, which I do as a totally blind computer user, you have to be careful about updates to any software you use. Updating to the most recent version can often result in not being able to use it at all, or having to put up with headaches and pulling your hair out until your screen reader is updated to catch up with some of the latest software updates. Otherwise, a very good article that was easy to follow even when discussing difficult technical issues. Thanks, Max